Staff

Technical Tip: GRE + IPSec not supported for NP7 offloading

Forum|Forum|1 year ago
February 14, 2025
0 replies
1020 views

Description

This article describes one scenario (GRE + IPSec) that is unsupported for NP7 offloading.

Scope

FortiGate.

Solution

NP7 offloading supports the GRE tunnel, including terminating on FortiGate or passing through FortiGate.NP7 offloading supports the IPSec VPN tunnel.

However, if the traffic is GRE + IPSec VPN, whether it is GRE passing through the IPSec VPN or GRE over IPSec, it is not supported for NP7 offloading.

The workaround is to configure 2 VDOMs, with IPSec terminated in 1 VDOM and GRE terminated in another VDOM.

For example:

Root VDOM is used to establish VPN to the remote side.
DMZ VDOM is used to establish GRE tunnel to remote side.

Related documents:

NP7 session fast path requirements

Tunneling protocols that can be offloaded by NP7 processors

Protocols that can be offloaded by NP7 processors

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded